- NIST Changes National Vulnerability Database Enrichment Process Due to Increase in CVE Submissions
- 263% increase since 2020; priority now given to KEV records, federal software, and critical software under EO 14028
- Other CVEs are considered “lowest priority”, but users can request enrichment via email if necessary
The number of reported vulnerabilities has increased so much that it forced the National Institute of Standards and Technology (NIST) to change how it ‘enriches’ each entry.
Until now, NIST would take a basic CVE record and add structured analysis to make it more useful in the National Vulnerability Database (NVD). It usually includes severity scoring (CVSS), affected products (CPE), vulnerability classification (CWE) and additional metadata.
But between 2020 and 2025, there has been a 263% increase in CVE submissions, NIST said, adding that it doesn’t expect the trend to let up anytime soon. “Submissions during the first three months of 2026 are almost a third higher than the same period last year,” it said.
The article continues below
Prioritization of KEV-listed
In order to keep up with the increasing demand, NIST sets certain criteria. Posts that meet them will be enriched as soon as possible, while those that do not will have to wait. NIST did not say that it would not enrich these “lowest priority” entries at all, but if the agency is inundated with new entries every day, it is safe to assume that many will never be covered.
As of April 15, NIST said it would prioritize CVEs that appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog, CVEs for software used within the federal government, and CVEs for critical software as defined in Executive Order 14028.
Everything else will be considered “lowest priority,” but NIST says that doesn’t mean other CVEs won’t have a significant impact on affected systems.
“These criteria may not capture all potentially high impact CVE,” it warned. “Therefore, users may request enrichment of any lowest priority CVEs by emailing us at [email protected]. We will review these requests and schedule the CVEs for enrichment as resources allow.”
A full definition of critical software and a description of the new workflow can be found on this page.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
